HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event:  Self-reported: Employee reported that she left the patient records on the subway train.


Quote From The Legal Agreement
(real name changed to XYZ Hospital; minor modifications for readability)


Interpreting the HIPAA Police

Quote that sends a message:

Some employees should be able to leave with PHI. Other employees should not be allowed to leave with PHI. Everybody must know what they are permitted to do.

Ask Yourself: Do your policies allow some employees to leave the premises with PHI?


Quote that sends a message:

Interesting that they point out details like the envelope and rubber band. Paper medical records need to be physically safeguarded.

Ask Yourself: For paper medical records, what are your policies and procedures?


Additional Comments

XYZ Hospital was forced to implement a temporary ban on removing any PHI from the facility, until the new policies and procedures were in place.


Random inspections of people, places and things are an interesting detail required in the Monitoring Plan:

  1. unannounced site inspections of XYZ’s locations/departments/practices
  2. interviews with any members of the workforce who use PHI
  3. interviews with any members of the workforce involved in implementing the safeguards
  4. inspection of a sample of laptops and USB flash drives that contain PHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures
  5. inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members


The tone of the language in these legal documents (from early 2011) is not aggressive, but it is increasingly cautionary and urgent.


Obligations During HIPAA Probation
  • Shall prohibit any member of its workforce from physically removing PHI from the premises until they have received training on the new policies and procedures
  • Revise the policies and procedures to safeguard PHI
  • Include reasonable protections for such PHI from any intentional or unintentional uses or disclosures
  • Retrain the entire workforce including signed statements that they understand and will abide by the new policies and procedures
  • Designate a new person to Monitor the policies and procedures
  • The Monitor shall document a monitoring plan (see the Monitoring Plan details above)

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement under which the HIPAA Police monitor the organization for 3 years. During probation, there are specific to-dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offers these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. It includes unlimited assistance with encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing policies, procedures and best practices.


Case Study Factsheet

XYZ Hospital is in Massachusetts.

Case ID: CS-2011-02-14
Fine Amount: $1,000,000
Corrective Action Plan (CAP)? Yes, 3 Years
Precipitating Event: Self-reported: Employee reported that she left the patient records on the subway train.
HIPAA Police Office: HHS Region 1 - Boston
